Description
Is your feature request related to a problem? Please describe.
KeePass DX has way too many moving parts/complexity for the basic use case. I was trying to help someone get their DB opened over video chat and came to the realization that KeePass DX (and other alternatives) is way too flexible for the simplest use case of just keeping passwords on your phone securely (including backups in case the device is stolen/broken).
The problem is that DB file + key file + password is a huge search space (all filesystem locations, possibility of hidden files etc.) to get it to just work again. That is, if you mess up your default DB settings, trying to guess where the DB file is located, where the key file is and what password was used is a huge ask for many users.
Describe the solution you'd like
I would like to have a fork (or a mode) for this app that works to solve the base requirements like this:
- store passwords securely on one device
- seamless backups with Google backup (or whatever app backup is already used) but not compromising security (backup restore is not enough to access the data)
- use of phone security mechanisms (fingerprint, PIN or whatever) instead of a password
- easy way of exporting the password-protected DB file (standard KeePass file) for migration to a new device, offsite backup etc.
- easy import of existing KeePass DB files, by merging (so multiple DBs/versions can be merged in)
So the way it would work is:
- the app keeps the KeePass DB file in its internal files, and only one file per app instance
- when first started the app will initialize a new internal KeePass DB file:
  - the app will create an empty KeePass DB file in its internal file store (not accessible to other apps)
  - it will generate a random password
  - it will present the password to the user in the form of pass words or a serial-key-like form (or another easy-to-write-down way)
  - it will ask the user to write down the password on a piece of paper for future recovery and store it in a safe place (e.g. safe or drawer)
  - it will ask to re-enter the password to verify that you got it written down correctly
  - it will ask you to use the fingerprint reader (or other mechanism) and store the password behind that mechanism
- on another run of the application:
  - just ask for fingerprint (or other mechanism) and open the DB; once the DB is opened, in the settings view:
  - offer an option to import (merge) an external DB file (select file, enter password, select key (optional)) and merge in the content
  - offer an option to export the internal DB file to external storage: select directory, file name, enter new password (twice), optionally select a key file to protect the DB file
Handling backups and recovery:
- let whatever app backup/restore method is used to store/restore the internal KeePass file
- when app is first run after the restore the fingerprint will not have the password for the DB available
- ask user for the recovery password that they have written down on paper to be typed in
- set up fingerprint (or other mechanism) and open the DB
This way the user experience should be as straightforward as it gets, secure enough for most people and also resilient against loss. Further, allowing import/export is critical as we don't want to lock data in.
Describe alternatives you've considered
I think this would have to be a separate edition of the app, but it would be 95% the same application.
This is so I can point someone to KeePass Lite and they get to set it up themselves trivially (given some time for writing down and re-typing the recovery password). And then they cannot make it stop functioning in any of the ways that you can break KeePass DX (or other implementations), like moving files around, forgetting file locations, forgetting the password or any combination of these.
Additional context
I think having a simplified version of KeePass that still respects your freedom (import/export) would be very beneficial for the security of many people that don't want to mess with paid web services and just need their passwords stored securely in their pocket.
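One way the random recovery password from the proposed first-run flow could be generated, shown in a serial-key-like form and checked on re-entry. This is an added example in Python, not KeePassDX code; the alphabet, the 5x5 group layout and the function names are assumptions made here.

```python
import hmac
import math
import secrets

# Alphabet without look-alike characters (no 0/O, 1/I/L) so the key is easy
# to write on paper and read back. 31 symbols, about 4.95 bits of entropy each.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
GROUPS = 5       # assumed layout: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
GROUP_LEN = 5    # 25 symbols -> roughly 124 bits, more than the DB's KDF needs


def generate_recovery_key(groups: int = GROUPS, group_len: int = GROUP_LEN) -> str:
    """Random password in serial-key form, drawn from the OS CSPRNG."""
    chunks = [
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    ]
    return "-".join(chunks)


def normalize(typed: str) -> str:
    """Tolerate lowercase, spaces and missing or extra dashes when re-typing."""
    return "".join(ch for ch in typed.upper() if ch.isalnum())


def recovery_key_entropy_bits(key: str) -> float:
    """Entropy of a key built from ALPHABET, after stripping separators."""
    return len(normalize(key)) * math.log2(len(ALPHABET))


def is_well_formed(typed: str, groups: int = GROUPS, group_len: int = GROUP_LEN) -> bool:
    """Cheap check for a typo before comparing: right length, allowed symbols."""
    flat = normalize(typed)
    return len(flat) == groups * group_len and all(ch in ALPHABET for ch in flat)


def verify_reentry(expected: str, typed: str) -> bool:
    """Constant-time comparison of the re-typed key against the generated one."""
    return hmac.compare_digest(normalize(expected).encode(), normalize(typed).encode())


if __name__ == "__main__":
    key = generate_recovery_key()
    print("write this down:", key)
    print(f"entropy: {recovery_key_entropy_bits(key):.1f} bits")
    print("re-entry ok:", verify_reentry(key, key.lower().replace("-", " ")))
```

The key is only the recovery path; the same string is what the app would store behind the device's biometric or PIN mechanism so that a restored backup alone cannot open the DB.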